Tuesday, April 22, 2014

Recursively Remove Mailbox Folder Permissions

You have been assigned a task to recursively remove mailbox permissions from a user mailbox in Exchange 2010/2013 using Exchange Server management tools. How would you go about doing this?

There is an Exchange PowerShell cmdlet called Remove-MailboxFolderPermission, but it only removes permissions from one folder at a time: it has no -Recurse (or similar) switch to propagate the change to all sub folders. The Set-MailboxFolderPermission, Remove-MailboxFolderPermission and Get-MailboxFolderPermission cmdlets can be run by members of any of the following role groups:

Organization Management

Recipient Management

Help Desk

I can run these cmdlets as a member of the Organization Management role group against any user in my environment, as shown in the following screenshot:

To recursively remove mailbox folder permissions from every folder in a mailbox we still use Remove-MailboxFolderPermission, but because it has no recursive option we have to pipe into it from another cmdlet that walks every folder in the mailbox. This can be done with the following command:

At this point you may hit another problem. The Get-MailboxFolder cmdlet must be run under the context of the user who owns the mailbox; it cannot be run against another user's mailbox. For example, I want to use Get-MailboxFolder, which the above command relies on, to view the Inbox folder of my bugs.bunny test user. When I run the following PowerShell command under my Administrator account, which is a member of Organization Management, I get the following error:

If I run the same PowerShell command under the security context of bugs.bunny, however, there is no problem. In the following screenshot I have the Exchange Management Tools installed on a Windows 7 PC. I run the Exchange Management Shell as the bugs.bunny user account and run the same command.

Now that my Exchange Management Shell is running as bugs.bunny, the command completes without error:

Get-MailboxFolder Bugs.Bunny:\Inbox

Important: The Get-MailboxFolder cmdlet must be run under the security context of the user who owns the mailbox.

Now that we understand this limitation of Get-MailboxFolder, it follows that to recursively remove mailbox permissions with the command above, we must run it under the security context of the mailbox owner so that the recursive Get-MailboxFolder call succeeds.

This is not a practical method: it requires the administrator to ask the user for their password, which is poor practice in any case (the user's credential is no longer private, and anything done with it is attributed to the user rather than the administrator).
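A way to do the same job from the administrator's own shell, added here as an example and not a command from the original post: instead of Get-MailboxFolder (owner only), enumerate the folders with Get-MailboxFolderStatistics, which a member of Organization Management or Recipient Management can run against any mailbox, and build the "mailbox:\Folder\Subfolder" identity that the folder permission cmdlets expect from each FolderPath. The function name, the folder type exclusion list and the bugs.bunny / hulk.hogan names are my own choices; the user to remove is matched against the display name that Get-MailboxFolderPermission shows in its User column.

```powershell
# Added example, not part of the original post. Requires the Exchange Management Shell
# (Exchange 2010/2013) running as an account that can administer the target mailbox.
function Remove-MailboxFolderPermissionRecursive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,  # mailbox to clean up, e.g. 'bugs.bunny'
        [Parameter(Mandatory = $true)][string]$User,     # permission holder to remove, e.g. 'hulk.hogan'
        # Assumed list of system folder types to leave alone; adjust to taste.
        [string[]]$ExcludeFolderType = @('Root', 'RecoverableItemsRoot', 'RecoverableItemsDeletions',
            'RecoverableItemsPurges', 'RecoverableItemsVersions', 'Audits', 'CalendarLogging',
            'SyncIssues', 'Conflicts', 'LocalFailures', 'ServerFailures')
    )

    # Resolve the user once so that alias, SMTP address or display name all work as input;
    # Get-MailboxFolderPermission reports the holder by display name.
    $recipient = Get-Recipient -Identity $User -ErrorAction Stop
    $displayName = $recipient.DisplayName

    # Runs under the admin's context: no owner credentials needed, unlike Get-MailboxFolder.
    $folders = Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object { $ExcludeFolderType -notcontains $_.FolderType }

    foreach ($folder in $folders) {
        # FolderPath is '/Inbox/Alerts'; the permission cmdlets want 'bugs.bunny:\Inbox\Alerts'.
        # Caveat: a folder whose own name contains '/' will not convert cleanly this way.
        $id = '{0}:{1}' -f $Mailbox, ($folder.FolderPath -replace '/', '\')

        # Only act where an entry for this user exists; Remove-MailboxFolderPermission
        # raises an error if asked to remove an entry that is not there.
        $ace = Get-MailboxFolderPermission -Identity $id -ErrorAction SilentlyContinue |
            Where-Object { $_.User.DisplayName -eq $displayName }
        if (-not $ace) { continue }

        if ($PSCmdlet.ShouldProcess($id, "Remove folder permission for $displayName")) {
            Remove-MailboxFolderPermission -Identity $id -User $User -Confirm:$false
            # Emit a record of what was removed so the run can be kept as a change log.
            New-Object PSObject -Property @{
                Folder       = $id
                RemovedUser  = $displayName
                AccessRights = ($ace.AccessRights -join ',')
            }
        }
    }
}

# Dry run first; drop -WhatIf to actually remove the entries.
Remove-MailboxFolderPermissionRecursive -Mailbox 'bugs.bunny' -User 'hulk.hogan' -WhatIf
```

Because the function supports -WhatIf, you can list every folder on which the user currently holds rights before changing anything, which also covers the case in the ExFolders note below where the user only has rights on a few scattered sub folders. The returned objects can be piped to Export-Csv to keep a record of the removal.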

There is, however, an alternative for recursively removing permissions on a user mailbox using ExFolders, the successor to PFDavAdmin. ExFolders runs on the Exchange server itself (it is copied into the Exchange bin folder), so check the readme for the Exchange versions it supports before relying on it. Download the ExFolders tool from the following TechNet URL:

Once downloaded, follow the instructions in the readme.txt file to install the tool and copy it to the Exchange bin folder. ExFolders lets you browse the permissions on any sub folder of a user's mailbox by right clicking the folder and selecting Permissions.

To change permissions recursively, right click the folder at the top of the tree you want to remove the permissions from and click "Propagate folder ACEs".

Select the user which you want to remove from all sub folders and click Remove.

This walks every sub folder in the hierarchy and removes that user's permission entry from each one.

Note: If the user you want to remove has only been granted rights on specific sub folders in the hierarchy, add the user to the root folder first so that you are able to select them. For example, if my Hulk Hogan user account had permissions on the Alerts folder and one of my MVP folders, I would not be able to select that user from the root of the Inbox folder because no entry for it exists at that level. By adding it to the root of the Inbox folder first, I am able to select the user for a recursive removal.

Important: Before you can use ExFolders you must have Full Access to the mailbox you want to modify. You can grant this in the Exchange Management Console (EMC) by selecting "Manage Full Access Permission". In the screenshot I have granted Full Access to the AT\Administrator account, which is the account I used to run ExFolders. Remember that this is a standing permission on the mailbox rather than a one-off grant: remove it again once the folder permissions have been fixed.
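The Full Access grant can also be done from the shell, and wrapped so that it is always revoked afterwards. The following is an added example, not a command from the original post; the function name and the AT\Administrator / bugs.bunny identities are taken from the post's own scenario, while the try/finally pattern is my own.

```powershell
# Added example, not part of the original post. Grants Full Access only for the duration
# of the supplied action and revokes it in a finally block, even if the action fails.
function Invoke-WithTemporaryFullAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,    # mailbox being modified, e.g. 'bugs.bunny'
        [Parameter(Mandatory = $true)][string]$Admin,      # account that will run ExFolders, e.g. 'AT\Administrator'
        [Parameter(Mandatory = $true)][scriptblock]$Action # what to do while the grant is in place
    )

    # -AutoMapping:$false stops Outlook on the admin's PC from automatically opening
    # the mailbox as an extra mailbox while the grant exists (Exchange 2010 SP1 and later).
    Add-MailboxPermission -Identity $Mailbox -User $Admin -AccessRights FullAccess `
        -InheritanceType All -AutoMapping:$false | Out-Null
    try {
        & $Action
    }
    finally {
        # Revoke regardless of outcome so no standing Full Access is left on the mailbox.
        Remove-MailboxPermission -Identity $Mailbox -User $Admin -AccessRights FullAccess `
            -InheritanceType All -Confirm:$false
    }
}

Invoke-WithTemporaryFullAccess -Mailbox 'bugs.bunny' -Admin 'AT\Administrator' -Action {
    # The information store caches mailbox permissions, so a fresh grant may take a little
    # while before ExFolders can open the mailbox.
    Read-Host 'Full Access granted. Run ExFolders now, then press Enter to revoke it'
}
```

Granting and revoking through the shell also leaves the two cmdlet calls in the admin audit log, which is easier to review later than a permission changed by hand in the EMC.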